New Anti-spam Initiative Gaining Traction

The Sender Policy Framework would prevent the spoofing of e-mail addresses and hijacking of SMTP servers, common tactics used by spammers to remain anonymous.

A grass-roots movement to improve the SMTP protocol that governs e-mail traffic is gaining acceptance, and its lead developer hopes to get fast-track approval by the Internet Engineering Task Force to make the emerging framework a standard.
The developing framework, known as Sender Policy Framework (SPF), would prevent the spoofing of e-mail addresses and hijacking of SMTP servers, common tactics used by spammers to remain anonymous to the millions of addresses to which they send unsolicited e-mail.
The group behind SPF, known as SMTP+SPF, published its Internet draft Wednesday, the first step on the road to IETF approval, according to Meng Weng Wong, whos spearheading the effort.

Wong, the CTO of e-mail forwarding service Pobox.com, plans to attend the 59th IETF Meeting, which starts Feb. 29 in Seoul, South Korea, to make his case for the IETF to form a working group to study SPF. But Wong said hes hoping for more than that. He wants the IETF to adopt the SPF framework, bypassing the workgroup stage.
"Its very unlikely that thatll happen but itd be valuable for them to do that," Wong said, in Philadelphia. "Workgroups can take years to get anything done."
Wong said hes had in effect a shadow workgroup for the past eight months, with 500 people on an e-mail list exchanging ideas about SPF. He claimed most of the work an IETF workgroup would do has already been accomplished by the SMTP+SPF group.

"It may take a year from now [before SPF goes through the regular IETF process], and no one wants another 12 months of spam," Wong said.
SPF is essentially a whitelisting system that in order to work requires domain owners to publish the IP addresses from which they send e-mail. Mail transfer agents, such as Sendmail, Qmail and Postfix, would then have to match the client IP address with the domain the message is coming from. SPF would also provide "read" technology that the SMTP+SPF group is close to completing, Wong said.
If the client IP address doesnt match the published IP addresses for the domains, the message is rejected before it ever gets to the inbox. Under the existing SMTP protocol, domains cannot limit the use of their names to a set of trusted servers, which SPF would provide.
Today, blacklists work by IP address. In an SPF world, anti-spam activists would blacklist by domain name, knowing that a spammer was not misusing the domain.
Next page: Anti-spam providers throw support behind SPF.